
C wrote:
On Thu, Jan 20, 2011 at 09:21, Michal Šebeň wrote:
> hi folks,
> as you might know, since VirtualBox 4.0.0 the "usb guest support" feature is now open source code, but during tests I found the problem: VirtualBox needs full access to usb nodes, which of course could lead to a serious security problem (see bnc#664520 for details) - this means that (currently) VirtualBox (provided by SUSE) doesn't have usb guest support enabled by default

So I went to read the bug report: https://bugzilla.novell.com/show_bug.cgi?id=664520
Have I got this right? ... This "security hole" could allow someone who already has full user rights on the OS to access information that he or she essentially already has rights and access to?
That seems like a real non-issue to me... like the Linux exploits that give someone with root access a way to get root access...
Under what conditions would this USB access be a risk?
C.
If I understand that bug correctly, then the problem is that VBox has full rights to access USB ports. So if you run a virtual machine and someone uses any security hole in VirtualBox, then he can, with the permissions of VirtualBox, sniff e.g. a USB keyboard, mouse etc. So the problem is that someone who doesn't have full user rights (just vboxuser rights) can sniff USB devices and also send output there (consider what you can put to USB).

Just my 2c.
Josef
--
Josef Reidinger
Appliance Toolkit team
maintainer of perl-Bootloader, yast2-bootloader and parts of webyast and SLMS
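
A defender-side check for the exposure discussed in this thread, as an added example that is not part of any poster's message or of the VirtualBox packaging: it lists USB device nodes that accounts other than the owner can write to. The `/dev/bus/usb` default path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report USB device nodes that accounts
# other than the owner can write to.
# Assumptions: nodes live under /dev/bus/usb; stat supports -c (GNU/BusyBox).

# Print "<octal mode> <owner>:<group> <path>" for every node whose group or
# "other" write bit is set. Regular files are accepted as well as character
# devices so the check can be run on a constructed tree without root.
usb_writable_nodes() {
    find "${1:-/dev/bus/usb}" \( -type c -o -type f \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null |
        awk '$1 ~ /[2367]$/ || $1 ~ /[2367].$/' | sort -k3
}

# Count nodes that any local account can write (mode ends in 2, 3, 6 or 7).
usb_world_writable_count() {
    usb_writable_nodes "$1" | awk '$1 ~ /[2367]$/ { n++ } END { print n + 0 }'
}

# List each group holding write access to at least one node, with a count.
# Members of these groups can talk to the devices directly, as can any
# process running with their rights.
usb_group_write_summary() {
    usb_writable_nodes "$1" |
        awk '$1 ~ /[2367].$/ { split($2, a, ":"); print a[2] }' |
        sort | uniq -c
}
```

Source the file and call `usb_writable_nodes` with no argument to inspect the host; a non-zero `usb_world_writable_count` means every local account, not only members of a dedicated group, can reach the devices.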